Chapter 2/ Overview of Anti-Forensics
rootkit, which placed infected machines in an unstable state. Thus, if a
machine suddenly starts to behave erratically, with the sort of system-wide
stop errors normally associated with buggy drivers, it may be a sign that it's
been commandeered by malware.
Computer Forensics
If the nature of an incident warrants it, IR can lead to a forensic investigation.
Computer forensics is a discipline that focuses on identifying, collecting, and
analyzing evidence after an attack has occurred.
The goal of a forensic investigation is to determine:
■ Who the attacker was (could it be more than one individual?).
■ What the attacker did.
■ When the attack took place.
■ How they did it.
■ Why they did it (if possible: money, ideology, ego, amusement?).
In other words, given a machine's current state, what series of events led to
this state?
Aren't Rootkits Supposed to Be Stealthy? Why AF?
The primary design goal of a rootkit is to subvert detection. You want to provide
the system's administrator with the illusion that nothing's wrong. If an
incident has been detected (indicating that something is amiss) and a forensic
investigation has been initiated, obviously the rootkit failed to do its job. Why
do we care what happens next? Why study AF at all? Wouldn't it be wiser to
focus on tactics that prevent detection, or at least conceal the incident when it
does occur? Why should we be so concerned about hindering a forensic investigation
when the original goal was to avoid the investigation to begin with?
Many system administrators don't even care that much about the specifics.
They don't have the time or resources to engage in an in-depth forensic
analysis. If a server starts to act funny, they may just settle for the nuclear
option, which is to say that they'll simply:
■ Shut down the machine.
■ Flash the firmware.
7. http://blogs.technet.com/msrc/archive/2010/02/17/update-restart-issues-after-installing-ms10-015-and-the-alureon-rootkit.aspx.
38 | Part I